Local Group Policy is assigned only to users with admin rights!?

Volkan Senguel

Hi, I have 2 Terminal Servers with Win2000 & SP4 (US).

The problem is that the local GPO is only assigned to users who have local
admin rights on the server!?

I've checked the directory ACL on C:\Winnt\system32\GroupPolicy and
the permissions have only:

TerminalServerUsers - Read & Browse (ADS Group)
System - Full Access (Local)

The strange thing is that only users with local/domain admin rights get the
policies applied (Admins are not on the folder ACL).

?????????????

What do I have to do to get the policies working like yesterday? On that day we had
no problems with the GPO.

The only thing that we changed is in the local security settings:

Local Policies
User Rights Assignment
Impersonate a client after authentication
Create global object

I gave the TerminalServerUsers access to this policy because since
Service Pack 4 this option is disabled and some apps don't work on TS without
these settings....

But I have reset this, restarted the servers and .... the same -> users
get no policies.

Does anyone have a hint or a tip for me to solve this problem?

Thanks in advance for any feedback
Volkan S.
 
Cary Shultz [A.D. MVP]

Volkan,

Greetings!

I am not familiar with your setup but I might suggest that you take a look
at MSKB 278298 to see how you can use GPOs in a Terminal Server environment.
Typically one would put the computer account object in an OU by itself ( or
with other computer account objects if you have multiple Terminal Servers )
and then create a GPO using Loopback ( probably in replace mode ) linked to
that particular OU in which the computer account object is located, taking
care to remove the 'Authenticated Users' security group from the security
tab on that GPO and replace it with a 'home-grown' security group that
contains only all of the user account objects that will access the TS. Give
this group the READ and APPLY GROUP POLICY rights and away you go. The
Administrator account will not be affected by this GPO ( and, thus, have
full unrestricted access ) as it is not a member of the 'home-grown'
security group.

Now, remember how policies are applied: local, site, domain, OU.

Have you thought about using gpotool or gpresult to see exactly what is
going on?

HTH/kind regards,

Cary
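
The loopback setup described in the answer above, sketched with the GroupPolicy PowerShell module of current Windows Server releases (it does not exist on Windows 2000). This is an added example, not part of the original thread; the GPO name, OU path and both group names are hypothetical, and the handling of 'Authenticated Users' and of the computer group is this example's assumption rather than the answer's wording.

```powershell
# Added example: loopback GPO for Terminal Servers with security filtering.
# Hypothetical names: adjust to your own domain before use.
Import-Module GroupPolicy

$gpoName   = 'TS-Lockdown'                            # hypothetical GPO name
$tsOu      = 'OU=TerminalServers,DC=example,DC=com'   # OU holding the TS computer accounts
$userGroup = 'TS-Users'     # only the user accounts that log on to the TS
$compGroup = 'TS-Servers'   # the TS computer accounts (assumption of this example)

# 1. Create the GPO and link it to the OU that contains the TS computer accounts.
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $tsOu -LinkEnabled Yes | Out-Null

# 2. Turn on user policy loopback processing: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 3. Security filtering: the user group gets Read + Apply Group Policy.
Set-GPPermission -Name $gpoName -TargetName $userGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Loopback is a computer-side setting, so the servers must apply the GPO too.
Set-GPPermission -Name $gpoName -TargetName $compGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Take Apply away from Authenticated Users. The answer removes the group
# entirely; this sketch leaves it Read-only instead (assumption), so that
# administrators outside TS-Users can read the GPO but never apply it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 4. Review the resulting ACL: only TS-Users and TS-Servers should show GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 5. On the Terminal Server, as a test user from TS-Users, confirm what applied:
#    gpresult /r /scope user
```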
 
